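{ config, lib, ... }:
{
  # Opt-in switch for the Traefik reverse-proxy container defined below.
  options.sysconfig.opts.virtualization.traefik.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf config.sysconfig.opts.virtualization.traefik.enable {
    # Traefik runs in a NixOS container on its own veth pair; the host forwards
    # the public (80/443) and "local" (9080/9443) ports into it.
    containers.traefik = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.11";
      forwardPorts = [
        { containerPort = 80; hostPort = 80; }
        { containerPort = 443; hostPort = 443; }
        { containerPort = 9080; hostPort = 9080; }
        { containerPort = 9443; hostPort = 9443; }
      ];
      # Writable mount: holds acme.json (ACME account and certificate key
      # material), traefik.env (presumably the Cloudflare DNS API token) and the
      # log file. Keep host-side permissions on /ssd1/Traefik/data tight.
      bindMounts = {
        "/etc/traefik/data" = {
          hostPath = "/ssd1/Traefik/data";
          isReadOnly = false;
        };
      };

      config = {
        services.traefik = {
          enable = true;
          dataDir = "/etc/traefik/data";
          # Secrets are read from this env file at runtime rather than being
          # baked into the Nix store.
          environmentFiles = [ "/etc/traefik/data/traefik.env" ];

          staticConfigOptions = {
            # NOTE(review): the global `serversTransport.insecureSkipVerify = true`
            # was removed. Every backend in dynamicConfigOptions is plain http://,
            # so it had no effect here, and a global opt-out would silently disable
            # certificate verification for any https:// backend added later. If a
            # single backend genuinely needs it, define a dedicated serversTransport
            # for that service in dynamicConfigOptions instead.
            api = {
              dashboard = true;
              # NOTE(review): debug = true publishes extra debugging endpoints on
              # api@internal; consider turning it off once the setup is stable.
              debug = true;
            };
            global = {
              checknewversion = false;
              sendanonymoususage = false;
            };
            entryPoints = {
              # The "local" pair is intended for LAN-only names, but it is forwarded
              # from the host and opened in the firewall exactly like the public
              # pair, so routers bound to localsecure are reachable from wherever
              # host port 9443 is reachable.
              local = {
                address = ":9080";
                http.redirections.entryPoint = {
                  to = "localsecure";
                  scheme = "https";
                };
              };
              localsecure = {
                address = ":9443";
                asDefault = true;
                http.tls.certResolver = "cloudflare";
              };
              web = {
                address = ":80";
                http.redirections.entryPoint = {
                  to = "websecure";
                  scheme = "https";
                };
              };
              websecure = {
                address = ":443";
                asDefault = true;
                http.tls = {
                  certResolver = "cloudflare";
                  domains = {
                    main = "blunkall.us";
                    sans = [ "*.local.blunkall.us" "*.blunkall.us" "blunkall.us" ];
                  };
                };
              };
            };
            log = {
              # NOTE(review): DEBUG writes request-level detail into a file on the
              # shared bind mount; lower to INFO or WARN once stable.
              level = "DEBUG";
              filePath = "/etc/traefik/data/traefik.log";
              format = "json";
            };
            certificatesResolvers = {
              cloudflare = {
                acme = {
                  email = "nathanblunkall5@gmail.com";
                  storage = "/etc/traefik/data/acme.json";
                  keyType = "EC256";
                  # DNS-01 challenge; the provider token comes from environmentFiles.
                  dnsChallenge = {
                    provider = "cloudflare";
                    resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
                  };
                };
              };
              /*letsencrypt.acme = {
                email = "postmaster@blunkall.us";
                storage = "/root/data/acme.json";
                httpChallenge.entryPoint = "web";
              };*/
            };
          };

          dynamicConfigOptions = {
            http = {
              routers = {
                homepageSecure = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)";
                  service = "homepage";
                  tls.certResolver = "cloudflare";
                  middlewares = [ "authentik" ];
                };
                nathan = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`nathan.blunkall.us`)";
                  service = "homepage";
                  tls.certResolver = "cloudflare";
                };
                remote = {
                  entryPoints = [ "websecure" ];
                  rule = "Host(`remote.blunkall.us`)";
                  service = "homepage";
                  middlewares = [ "authentik" ];
                  tls.certResolver = "cloudflare";
                };
                jellyfin = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`jellyfin.blunkall.us`)";
                  service = "jellyfin";
                  tls.certResolver = "cloudflare";
                };
                auth = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`auth.blunkall.us`)";
                  service = "authentik";
                  tls.certResolver = "cloudflare";
                };
                gitlab = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`gitlab.blunkall.us`)";
                  service = "gitlab";
                  tls.certResolver = "cloudflare";
                  #middlewares = [ "authentik" ];
                };
                nextcloud = {
                  entryPoints = [ "localsecure" "websecure" ];
                  rule = "Host(`nextcloud.blunkall.us`)";
                  service = "nextcloud";
                  tls.certResolver = "cloudflare";
                  middlewares = [ "nextcloud_redirectregex" ];
                };
                traefik = {
                  entryPoints = [ "localsecure" ];
                  rule = "Host(`traefik.local.blunkall.us`)";
                  service = "api@internal";
                  tls.certResolver = "cloudflare";
                  # api@internal (dashboard plus the debug endpoints) previously had no
                  # auth middleware, while localsecure is forwarded and firewall-open.
                  # Gate it behind the same forwardAuth used by homepageSecure/remote.
                  middlewares = [ "authentik" ];
                };
                pihole = {
                  entryPoints = [ "localsecure" ];
                  rule = "Host(`pihole.local.blunkall.us`)";
                  service = "pihole";
                  tls.certResolver = "cloudflare";
                };
              };

              middlewares = {
                # Forward-auth against the Authentik outpost running on the host.
                authentik.forwardAuth = {
                  address = "http://192.168.100.10:9000/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [
                    "X-authentik-username"
                    "X-authentik-groups"
                    "X-authentik-email"
                    "X-authentik-name"
                    "X-authentik-uid"
                    "X-authentik-jwt"
                    "X-authentik-meta-jwks"
                    "X-authentik-meta-outpost"
                    "X-authentik-meta-provider"
                    "X-authentik-meta-app"
                    "X-authentik-meta-version"
                  ];
                };
                nextcloud_redirectregex.redirectregex = {
                  permanent = true;
                  regex = "https://nextcloud.blunkall.us/.well-known/(?:card|cal)dav";
                  replacement = "https://nextcloud.blunkall.us/remote.php/dav";
                };
              };

              # All backends are reached over plain http on the container network.
              services = {
                gitlab.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
                homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
                jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ];
                authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ];
                pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:8080"; } ];
                nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ];
              };
            };
          };
        };

        networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 ];
        # NOTE(review): `allowedUDPPorts = [ 80 443 ]` was dropped: no entryPoint
        # enables http3, so nothing listens on UDP and the rule only widened the
        # container firewall beyond what Traefik serves.
        system.stateVersion = "24.05";
      };
    };
  };
}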